Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
parent
ef827b2c69
commit
e507515766
43 changed files with 895 additions and 128 deletions
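--- a/platform/argocd/argocd-cm-patch.yaml
+++ b/platform/argocd/argocd-cm-patch.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: argocd-cm
+  namespace: argocd
+data: {}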
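Review bot: `argocd-cm-patch.yaml` is a complete ConfigMap with `data: {}`, yet `platform/argocd/kustomization.yaml` (next section) lists it under `resources:` rather than `patches:`, so kustomize renders it as a standalone `argocd-cm` object instead of applying it as a patch. If Argo CD syncs that output, the live `argocd-cm` settings can end up reduced to an empty `data` map depending on the apply strategy; this is inferred from the two files together, not from a rendered result. Either move the entry under `patches:` (`patches:` / `  - path: argocd-cm-patch.yaml`) and keep only the keys being changed, or populate `data` with the full intended configuration. A one-line comment above `data: {}` stating which keys are expected to land here would also make the intent clear.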
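--- a/platform/argocd/kustomization.yaml
+++ b/platform/argocd/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- argocd-cm-patch.yaml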
|
|
@ -3,5 +3,7 @@ kyverno:
|
|||
replicas: 2
|
||||
features:
|
||||
loggingFormat: text
|
||||
policyExceptions:
|
||||
enabled: true
|
||||
telemetry:
|
||||
enabled: false
|
||||
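Review bot: `policyExceptions:` with `enabled: true` lets any principal who can create PolicyException objects exempt workloads from the policies in this commit, so the feature flag is only as strong as the RBAC around that resource; which of the seven lines here are the two additions is not recoverable from the rendering, so read this as a check rather than a regression claim. The Kyverno chart also exposes `features.policyExceptions.namespace`; if it is left at the chart default, confirm which namespaces exceptions are honoured from and pin it to a namespace whose RBAC platform operators control, e.g. `policyExceptions:` / `  enabled: true` / `  namespace: <exceptions-namespace placeholder>`. The enclosing `kyverno:` values block starts outside the hunk.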
|
|
|
|||
|
|
@ -17,6 +17,12 @@ spec:
|
|||
- resources:
|
||||
kinds:
|
||||
- Pod
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
policy.home.arpa/allow-any-capabilities: "true"
|
||||
|
||||
validate:
|
||||
message: "All containers must drop ALL Linux capabilities."
|
||||
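Review bot: The new `exclude` keyed on `policy.home.arpa/allow-any-capabilities: "true"` moves the opt-out decision to a namespace label, so anyone permitted to update Namespace metadata can exempt an entire namespace from the capabilities check; the same pattern is added for `policy.home.arpa/allow-root` (next section, both hunks), `policy.home.arpa/allow-hostpath` and `policy.home.arpa/allow-latest-tag`. That is a reasonable design, but it should be paired with a control on who may set `policy.home.arpa/*` labels (for example a validate rule on Namespace updates, or at least a documented review of the existing bindings), otherwise the label is a silent bypass of every policy in this set. A short comment above each `exclude` such as `# namespace-level opt-out: setting this label must be restricted to platform operators` would make the trust assumption explicit. The enclosing rule and its `match` block start outside the hunk.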
|
|
|
|||
|
|
@ -23,6 +23,10 @@ spec:
|
|||
selector:
|
||||
matchLabels:
|
||||
security.policy/allow-root: "true"
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
policy.home.arpa/allow-root: "true"
|
||||
|
||||
validate:
|
||||
message: "Pods must set runAsNonRoot=true."
|
||||
|
|
@ -43,6 +47,10 @@ spec:
|
|||
selector:
|
||||
matchLabels:
|
||||
security.policy/allow-root: "true"
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
policy.home.arpa/allow-root: "true"
|
||||
|
||||
validate:
|
||||
message: "All containers must set runAsNonRoot=true."
|
||||
|
|
|
|||
|
|
@ -11,6 +11,12 @@ spec:
|
|||
any:
|
||||
- resources:
|
||||
kinds: ["Pod"]
|
||||
exclude:
|
||||
any:
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
policy.home.arpa/allow-hostpath: "true"
|
||||
|
||||
validate:
|
||||
message: "hostPath volumes are not allowed (escape risk)."
|
||||
|
|
|
|||
|
|
@ -23,6 +23,10 @@ spec:
|
|||
- tekton-pipelines
|
||||
- key: tekton.dev/task
|
||||
operator: Exists
|
||||
- resources:
|
||||
namespaceSelector:
|
||||
matchLabels:
|
||||
policy.home.arpa/allow-latest-tag: "true"
|
||||
validate:
|
||||
message: "Using the 'latest' tag or omitting image tags is forbidden. Use a specific version semantic tag."
|
||||
foreach:
|
||||
|
|
|
|||
|
|
@ -9,7 +9,7 @@ metadata:
|
|||
policies.kyverno.io/description: >-
|
||||
Automatically provisions a baseline CiliumNetworkPolicy
|
||||
with default deny ingress and controlled DNS egress.
|
||||
argocd.argoproj.io/sync-options: Force=true,Replace=true
|
||||
argocd.argoproj.io/sync-options: Replace=true
|
||||
|
||||
spec:
|
||||
background: true
|
||||
|
|
@ -55,6 +55,8 @@ spec:
|
|||
metadata:
|
||||
labels:
|
||||
security-tier: baseline
|
||||
annotations:
|
||||
argocd.argoproj.io/sync-options: Prune=false
|
||||
|
||||
spec:
|
||||
endpointSelector: {}
|
||||
|
|
|
|||
|
|
@ -0,0 +1,21 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: audit-network-connections
|
||||
annotations:
|
||||
security-tier: audit-baseline
|
||||
description: "Logs outound TCP connections at the kernel level."
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "tcp_connect"
|
||||
syscall: false
|
||||
args:
|
||||
- index: 0
|
||||
type: "sock"
|
||||
selectors:
|
||||
- matchArgs:
|
||||
- index: 0
|
||||
operator: "NotDAddr"
|
||||
values:
|
||||
- "127.0.0.1"
|
||||
- "::1"
|
||||
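Review bot: The annotation `description: "Logs outound TCP connections at the kernel level."` has a typo in `outound`; since it surfaces in `kubectl describe`, `outbound` is worth fixing before this lands. Functionally, the only exclusion is loopback (`127.0.0.1`, `::1`), so every other TCP connect in the cluster, including in-cluster service traffic, produces an event; that is consistent with an audit tier, but the volume should be checked against the Tetragon export pipeline before rollout. If noise becomes a problem, additional `NotDAddr` values for the cluster's pod and service ranges (Tetragon's address operators accept CIDR notation, if I recall correctly) narrow it without losing external egress visibility.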
|
|
@ -0,0 +1,23 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: audit-process-execution
|
||||
annotations:
|
||||
security-tier: audit-baseline
|
||||
description: "Logs all process executions (sys_execve) for cluster-wide visibility."
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "sys_execve"
|
||||
syscall: true
|
||||
args:
|
||||
- index: 0
|
||||
type: "string"
|
||||
- index: 1
|
||||
type: "string_array"
|
||||
selectors:
|
||||
- matchPIDs:
|
||||
- operator: NotIn
|
||||
followForks: true
|
||||
isNamespacePID: true
|
||||
values:
|
||||
- 1
|
||||
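Review bot: The selector `matchPIDs` with `operator: NotIn`, `followForks: true`, `isNamespacePID: true` and `values: [1]` excludes PID 1 of each PID namespace and, if `followForks` applies to exclusions the way it applies to inclusions, every process forked from it, which inside a container is the entire process tree; confirm against Tetragon's selector semantics that this does not suppress exactly the execs the policy exists to audit. Separately, hooking `sys_execve` misses `execveat` and duplicates Tetragon's built-in `process_exec` events if those are already exported, whereas the policies deleted further down used `security_bprm_check`, which sees both paths; a comment above `- call: "sys_execve"` stating why the syscall hook was chosen over the LSM hook would help the next reader. The TracingPolicy is complete within the hunk.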
|
|
@ -0,0 +1,9 @@
|
|||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- audit-process-execution.yaml
|
||||
- audit-network-connections.yaml
|
||||
|
||||
commonAnnotations:
|
||||
argocd.argoproj.io/sync-wave: "1"
|
||||
|
|
@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
|
|||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- tracingpolicy-shell-spawn.yaml
|
||||
- tracingpolicy-network-connections.yaml
|
||||
- tracingpolicy-sensitive-binaries.yaml
|
||||
- tracingpolicy-privilege-escalation.yaml
|
||||
- tracingpolicy-sensitive-file-access.yaml
|
||||
- 10-audit-baseline
|
||||
# - 20-enforce-execution
|
||||
# - 30-enforce-fim
|
||||
# - 40-enforce-network
|
||||
# - 50-enforce-privilege
|
||||
|
||||
commonLabels:
|
||||
app.kubernetes.io/part-of: tetragon-policies
|
||||
|
|
|
|||
|
|
@ -1,8 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-network-connections
|
||||
spec:
|
||||
tracepoints:
|
||||
- subsystem: tcp
|
||||
event: tcp_connect
|
||||
|
|
@ -1,9 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-privilege-escalation
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "commit_creds"
|
||||
syscall: false
|
||||
return: true
|
||||
|
|
@ -1,29 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-sensitive-binary-execution
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_bprm_check"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchBinaries:
|
||||
- operator: In
|
||||
values:
|
||||
- /usr/bin/curl
|
||||
- /usr/bin/wget
|
||||
- /usr/bin/nc
|
||||
- /usr/bin/netcat
|
||||
- /usr/bin/nmap
|
||||
- /usr/bin/socat
|
||||
- /usr/bin/ssh
|
||||
- /usr/sbin/iptables
|
||||
- /usr/bin/apt
|
||||
- /usr/bin/apt-get
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||
|
|
@ -1,25 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-sensitive-file-access
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_file_open"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchArgs:
|
||||
- index: 0
|
||||
operator: Prefix
|
||||
values:
|
||||
- /etc/shadow
|
||||
- /etc/passwd
|
||||
- /root
|
||||
- /proc/kcore
|
||||
- /var/run/secrets/kubernetes.io
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||
|
|
@ -1,24 +0,0 @@
|
|||
apiVersion: cilium.io/v1alpha1
|
||||
kind: TracingPolicy
|
||||
metadata:
|
||||
name: detect-shell-spawn
|
||||
spec:
|
||||
kprobes:
|
||||
- call: "security_bprm_check"
|
||||
syscall: false
|
||||
|
||||
selectors:
|
||||
- matchBinaries:
|
||||
- operator: In
|
||||
values:
|
||||
- /bin/sh
|
||||
- /bin/bash
|
||||
- /bin/dash
|
||||
- /bin/ash
|
||||
- /busybox/sh
|
||||
|
||||
args:
|
||||
- index: 0
|
||||
type: string
|
||||
|
||||
return: true
|
||||